Fair points, all of them.

The nsa.gov thing: :)

The reals: 1. Hosting detection: I'm matching links TO GitHub as hosting ON GitHub. That's wrong. Fix incoming.

2. US-hosted sites getting 100%: My ASN lookup isn't catching everything. I opted against GeoIP services (privacy reasons), but clearly the ASN-only approach has to much gaps.

3. Social links vs embeds: You're right. A link to Twitter isn't a dependency. An embed is. Will differentiate.

4. gov.uk/gov.cn perfect scores: The tool checks infrastructure, not jurisdiction. gov.uk probably serves from EU edge nodes. That said, the name. Also tried to mention this in the Methodology-Modal. But iterating on all legalese and features same time as a single dev did not land well with my sleeping patterns for v0.1. Will fix that too.

"EU sovereignty" is misleading for non-EU countries - point taken. Will think about better framings.

It's HN catnip: Google PageSpeed Insights for /r/BuyFromEU slacktivism.

Yeah it's a neat idea. Unfortunately the execution is pretty poor.

This is more of an attempt at a political stunt. The CCP's website gets a perfect score, admin.ch also gets a perfect score while Switzerland is most-definitely not in the EU.. non-US is more accurate than EU but you only see that when stars start flying.

IMHO: Just scrap the politics and show what regional deps a site has - that'd actually increase value quite a bit.

Good point regarding registrar. Thinking a bit further, there's also the top-level domain: if that's under US control (eg .com), it could still be yanked away from you.

1. Link to X profile ≠ dependency on X. Will differentiate links from embeds in v0.2.

2. Registrar check is a good thinking. Already have some stubs in the codebase. Namecheap is US and could theoretically be compelled. Adding to roadmap.

Thanks!

If you post on X. You are a content creator supporting Elon.

Hi,

i have fixed the Vercel detection. Also added Netlify header detection (via x-nf-request-id).

DNS-proxieng is not taken into account. Maybe will do that in the future.

Thanks for reporting!

That actually says more about NSA security hygine and not getting high on your own supply.

Was a bug. Now some kind of Snowden-Approved-Feature.

It also says my website is hosted on GitHub pages, although it’s served from a hetzner server.

EDIT: on further inspection: I get both a red cross AND a green check mark for hosting. So it’s somehow indicating both GitHub and hetzner. Maybe it’s because I merely link to GitHub?

Thanks for the Bugs Bunny. I'm detecting a LINK to GitHub Pages and marking it as hosting. That's wrong - hosting should only flag when the actual page is served from there.

Re fonts: "self-hosted" means fonts served from your domain (vs Google Fonts CDN). If you're using system fonts, that's a detection error on my end.

Both going in on the fix list. Thanks.

Meanwhile I get a green check for CDN - presumably because I'm not using Cloudflare, but I am using CloudFront which is AWS.

So the tool's a good idea, but currently very inaccurate.

Meanwhile, mine is actually hosted on GH pages and I get a green mark and a perfect 100% score.

Funny, I checked a blog I host on github pages and it says "not detected" for hosting.

Bunny CDN (https://bunny.net) is great, HQ located in Ljubljana, Slovenia and also have great support which seems most faster and gives better responses than most others out there, but might just been my luck, YMMV.

First off, do you actually need it? I know cloudflare sells fear, but was you or anyone you know affected by a DDoS?

You can also tell the guy is German because of the strange hyphen between EU and Sovereignty. :P

I find it ironic that in Europe the defacto language for intercommunication is from a country that chose to disassociate itself from the EU. In all, I think it's great that every EU country uses the English language with all their idiosyncrasies and hell be damned about "proper" english.

EDIT 2 (48h later — shipped based on your feedback after a rough and a good night of sleep):

Should be fixed: - Hybrid Geoip + ASN detection (no more nsa.gov/google.com false positives) - AWS, Azure, Google Cloud, Cloudflare, DigitalOcean, Vercel, Netlify detection - Links vs embeds — href to Twitter ≠ dependency on Twitter - Lazy-loaded YouTube/Vimeo (lite-youtube facades) - Adequacy tier scoring — UK, Switzerland, Japan get -15 (trusted, not sovereign) instead of 0 - Unquoted iframe detection (LinkedIn embeds)

gov.cn no longer scores 100%. admin.ch no longer scores 100%. The "sovereignty" label now hopefully means something.

Still open: - DNS/registrar checks (v2) - One reported LetsEncrypt cert error (can't reproduce)

Details on Vercel: I try to detect via response headers (x-vercel-id), so custom domains are hopefully flagged correctly. Cloudflare for DNS is intentionally not pennalized — it's a proxy layer, not hosting (that was also stated in the methodology-popup from the beginning). I try that the origin server determines your hosting score.

Thanks to everyone who took the time. We (meaning all of you, who tested, tried and commented and maybe I, myself) made this tool hopefully significantly better.

And to have it stated here too: Though it might sound ironic or something (especially via a board like this): I and my partner never meant to insult anybody. We have profound respect for quality engineering outside of our borders. It even inspires us.

Ave Caesari, morituri te salutant.

Fixed: 1. GeoIP fallback 2. Links vs embeds 3. Migration costs

*GeoIP* - The ASN-only approach was too restrictive (I tested mostly with orf.at and such). Now using oschwald/geoip2-golang with DB-IP Lite. Hybrid detection: ASN for known providers, GeoIP fallback for everything else.

kapsi.fi now correctly shows as EU/Finland (was the false positive many caught). google.com: 54% (US detected), reddit.com: 94% (Canada - has EU adequacy decision). Added all EU adequacy countries (UK, Switzerland, Japan, Canada, etc.) - no penalty, but labeled "Adequate" not "EU". Im not sure on this one. Im sure we'd like to get UK back in the Union so we get to see the Rolling Stones more often.

*Embeds* - A link TO twitter.com is no longer flagged as a dependency. Only actual embeds (script src, iframes) count now. This might also fix the "links to GitHub flagged as GitHub Pages hosting" issue - same root.

*Costs* - Reduced. Google Fonts swap is now €50-150, not €400-800. Costs were too enterprisy, now for small sites like ours :)

Need to feed some cows now. Will iterate further when back. PS: Please dont roast the latin. Its been a while.

EDIT: Remove Api for now.

EDIT (after 150+ comments of roasting):

First: You are legends. Thanks for the massive roasting. Had a Haupt-Mieterversammlung directly after clicking "Submit" and was too tired (and scared) to directly address the issues afterwards. Reading your comments really delivers some intense cringe-moments over here seeing my bugs exposed. I try to frame it as some of the best feedback from some of the best engineers in the world. This helps (it does).

The core stuff: I chose to implement ASN-list lookups instead of a GeoIP service (to have less deps). Worked for my european test cases. Clearly not battle-tested enough for the wild.

What I'm hearing: - Hosting detection has false positives (detecting links as hosting) and false negatives (US-hosted sites scoring 100%) - Social media LINKS shouldn't count same as EMBEDS (fair point) - Missing: registrar, TLD jurisdiction, DNS location - AWS/Cloudflare detection is spotty - Migration cost estimates are too high for small sites - Some UI bugs on Firefox

What we shipped overnight (yes, while this was trending): - "Hotfix" for our scanning friends over nsa.gov What we ship from now on: - Fix the real bugs

v0.2 roadmap based on your feedback:

1. Hybrid GeoIP + ASN detection 2. Differentiate links vs embeds 3. Add registrar/TLD/DNS checks 4. Fix AWS/CloudFront/Cloudflare detection 5. Smarter migration cost estimates 6. UI fixes

Building in public. This is day 1.

To everyone who tested edge cases: you part of this tool soon :) To whover tested nsa.gov at 2am CET: I noticed.

I am not sure how much i will get done by today – maybe i will need to touch grass later a bit (or feeding the cows as we do it over here in austria)

Hey wink ()

true. some socialmedia was too aggressive - should be resolved.

for yt: i tried to fix the lazy-loaded YouTube detection. Tool now catches: - iframes with data-src - web components: <lite-youtube>, <lite-youtube-embed>, <youtube-video>, <lite-vimeo>, <lite-vimeo-embed>, <vimeo-video>

One thing I stumbled over: if YT-URL only lives inside a JS variable and gets injected on click with no trace in the HTML. That's a static analysis limitation.

And: React facades that load a YouTube thumbnail → already detected. React facades that use a local/self-hosted placeholder image with only a video ID in a data attribute → not detected.

You mind sharing a URL so I can verify it works against your site?

Thanks for helping already!

Is there any evidence that the US executive branches and three letter agencies care about the physical location of the data center? Never mind the dependency on AWS, which is a US company

I doubt datacenter location matters for anything beyond latency

I know some sites serve incomplete cert chains (missing the intermediate). Browsers fix this automatically, Go doesn't. have your tested a site with broken cert chain? got a url to share? Would help me pin down the issue.

Thanks!

Do you have links to any US social media on your site, that's getting a lot of people.

Right. Missed Azure. Fix is live now. Would be great if you could recheck and confirm. Thanks for helping me out by reporting.

Considering it. Backend is Go on a single-node K8s-"Cluster". Frontend is vanilla JS on the same Hetzner-Box. Code-situation in the midst of this ongoing "HN-Feuertaufe" is a bit … well.

What would make it useful for you - self-hosting capability, or contributing to detection logic?

I am considering a api but need stability first.

I really wish this existed so that HN could go back to being a tech community of nerds and builders. Somehow HN has become overrun with more and more urban monoculture euro-fetishists and actual Europeans in the last few years. I haven't seen a headline mentioning Rust or Lisp in days! That's how you know things have really gone downhill.

European HN could focus on its favorite topics of privacy paranoia, "what regulation can we make next?" and tech safetyism, while maybe real HN could go back to Bay Area tech esotericism and fun historical anecdotes.